Update session cookie key name to be unique to instance in development

Fix https://gitlab.com/gitlab-org/gitlab-ce/issues/31644

Update session cookie key name to be unique to instance in development
177b788c · Eric Eastwood · dd0f8b8c · 177b788c · 177b788c
Commit 177b788c authored 7 years ago by Eric Eastwood
--- a/changelogs/unreleased/31644-make-cookie-sessions-unique.yml
+++ b/changelogs/unreleased/31644-make-cookie-sessions-unique.yml
+---
+title: Update session cookie key name to be unique to instance in development
+merge_request:
+author:
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@@ -10,8 +10,14 @@ rescue
  Settings.gitlab['session_expire_delay'] ||= 10080
 end
  
+cookie_key = if Rails.env.development?
+               "_gitlab_session_#{Digest::SHA256.hexdigest(Rails.root.to_s)}"
+             else
+               "_gitlab_session"
+             end
+
 if Rails.env.test?
-  Gitlab::Application.config.session_store :cookie_store, key: "_gitlab_session"
+  Gitlab::Application.config.session_store :cookie_store, key: cookie_key
 else
  redis_config = Gitlab::Redis.params
  redis_config[:namespace] = Gitlab::Redis::SESSION_NAMESPACE
@@ -19,7 +25,7 @@ else
  Gitlab::Application.config.session_store(
    :redis_store, # Using the cookie_store would enable session replay attacks.
    servers: redis_config,
-    key: '_gitlab_session',
+    key: cookie_key,
    secure: Gitlab.config.gitlab.https,
    httponly: true,
    expires_in: Settings.gitlab['session_expire_delay'] * 60,